Microsoft launches 3 bounty programs to award security folk up to $100,000 for finding flaws in its code

Today Microsoft has announced three new bounty programs to both drive engagement with the security community, and work more proactively to amend its software to avoid exploitable flaws. Let’s be frank about two things: Microsoft has a troubled past of software that was open for attack, and secondly that the company has done well in the past half decade to lock down its code.

However, threats remain, and so long as its code is a target, the company has to find where the ladders could be attached the walls at Helm’s Deep, and where the drain culvert may be, as Legolas is fallible.

To that end, Microsoft today announced three new bounty programs with big-ticket dollar rewards for security work that knocks its socks off. A persistent prize, the “Mitigation Bypass Bounty,” will award up to $100,000 to security folk who find holes in the security of Microsoft software. There is no cap on the number of people who can earn the bounty, and Microsoft has no time limit on its run.

The second is a smaller dollar “BlueHat Bonus for Defense” program that will award up to $50,000 for blocking holes that have been found.

I asked, and you can win both: find a key security issue, and propose a neat fix, and in theory Microsoft may bestow $150,000 on your shoulders. In other news, I’m quitting TNW to pursue an active career in software security.

The final new bounty is time constrained: You have 30 days following the release of Windows 8.1 and Internet Explorer 11 to find its flaws. Security dudes and dudets can lock down up to $11,000 – get it? – for finding bugs in the new browser. Why such a short window? Microsoft wants to find the issues, and then fix them before 8.1 goes full public. This is the beta period for the browser in more ways than one.

Microsoft should spend heavily in this area. And, given the above, it appears to agree. The final question is this: is $100,000 enough to stop someone from exploiting a flaw and instead reporting it?